From 576cd1a8edecf35f272fa8f67850fcb007ec2aa4 Mon Sep 17 00:00:00 2001
From: Joseph Heenan
Date: Thu, 16 Apr 2026 12:23:36 +0100
Subject: [PATCH] fix: accept application/jwt on VCI credential endpoints

OID4VCI encrypted credential requests are sent as a JWE with Content-Type: application/jwt, but the endpoints only advertised application/json, so JAX-RS rejected them with 415 before the handler ran. Accept both media types; the Authlete parse APIs already handle JWE decryption downstream.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../authlete/jaxrs/server/api/vci/BatchCredentialEndpoint.java | 2 +-
 .../com/authlete/jaxrs/server/api/vci/CredentialEndpoint.java | 2 +-
 .../jaxrs/server/api/vci/DeferredCredentialEndpoint.java | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/authlete/jaxrs/server/api/vci/BatchCredentialEndpoint.java b/src/main/java/com/authlete/jaxrs/server/api/vci/BatchCredentialEndpoint.java
index c934c9d..81d8d0c 100644
--- a/src/main/java/com/authlete/jaxrs/server/api/vci/BatchCredentialEndpoint.java
+++ b/src/main/java/com/authlete/jaxrs/server/api/vci/BatchCredentialEndpoint.java
@@ -46,7 +46,7 @@ public class BatchCredentialEndpoint extends AbstractCredentialEndpoint
 {
 @POST
- @Consumes(MediaType.APPLICATION_JSON)
+ @Consumes({ MediaType.APPLICATION_JSON, "application/jwt" })
 public Response post(
 @Context HttpServletRequest request,
 @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,
diff --git a/src/main/java/com/authlete/jaxrs/server/api/vci/CredentialEndpoint.java b/src/main/java/com/authlete/jaxrs/server/api/vci/CredentialEndpoint.java
index efac573..f5252e7 100644
--- a/src/main/java/com/authlete/jaxrs/server/api/vci/CredentialEndpoint.java
+++ b/src/main/java/com/authlete/jaxrs/server/api/vci/CredentialEndpoint.java
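Review bot: In BatchCredentialEndpoint, `@Consumes({ MediaType.APPLICATION_JSON, "application/jwt" })` sends both media types to the same `post` handler, and nothing visible in the hunk checks that the body format matches the declared Content-Type (a JWE under `application/jwt`, JSON under `application/json`); the CredentialEndpoint and DeferredCredentialEndpoint hunks have the same gap. `post` continues outside the hunk and the commit message says the Authlete parse APIs handle decryption, so this may already be covered, but it is worth confirming that a deployment which requires encrypted requests still rejects a plain JSON body, and adding a test for each media type. The literal is also repeated in three annotations; a shared constant such as `protected static final String APPLICATION_JWT = "application/jwt";` in AbstractCredentialEndpoint would keep them in step. A one-line comment above the annotation, e.g. `// application/jwt: OID4VCI encrypted credential request (JWE)`, would record why the second type is accepted.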
@@ -47,7 +47,7 @@ public class CredentialEndpoint extends AbstractCredentialEndpoint
 {
 @POST
- @Consumes(MediaType.APPLICATION_JSON)
+ @Consumes({ MediaType.APPLICATION_JSON, "application/jwt" })
 public Response post(
 @Context HttpServletRequest request,
 @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,
diff --git a/src/main/java/com/authlete/jaxrs/server/api/vci/DeferredCredentialEndpoint.java b/src/main/java/com/authlete/jaxrs/server/api/vci/DeferredCredentialEndpoint.java
index 1b20f8f..fdd1748 100644
--- a/src/main/java/com/authlete/jaxrs/server/api/vci/DeferredCredentialEndpoint.java
+++ b/src/main/java/com/authlete/jaxrs/server/api/vci/DeferredCredentialEndpoint.java
@@ -47,7 +47,7 @@ public class DeferredCredentialEndpoint extends AbstractCredentialEndpoint
 {
 @POST
- @Consumes(MediaType.APPLICATION_JSON)
+ @Consumes({ MediaType.APPLICATION_JSON, "application/jwt" })
 public Response post(
 @Context HttpServletRequest request,
 @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,